Privacy Policy
1pc is operated by [YOUR LEGAL ENTITY NAME], a company registered in England and Wales.
Company number: [NUMBER] | Registered address: [ADDRESS]
Data Protection Contact: [EMAIL]
1. Overview
This Privacy Policy explains how 1pc collects, uses, stores, shares, and protects personal data when you use our platform. It applies to all visitors, account holders, and anyone whose personal data is processed through the platform.
We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently. We only collect data we need, we keep it only as long as necessary, and we never sell it.
This policy should be read alongside our Terms of Service. Where we act as a data processor on your behalf (for example, when you store your customers' contact details on the platform), the Data Processing Agreement in Schedule 1 of the Terms of Service governs that processing.
2. Who We Are
For the purposes of UK data protection law, the data controller is:
[YOUR LEGAL ENTITY NAME]
Registered in England and Wales, company number [NUMBER]
Registered address: [ADDRESS]
Data protection contact: [EMAIL]
We have not appointed a Data Protection Officer as we do not currently meet the threshold requiring one under UK GDPR. Our data protection contact handles all privacy enquiries and can be reached at the email address above.
3. Data We Collect
We collect different types of data depending on how you interact with the platform.
3.1 Data You Provide Directly
| Category | Examples | When Collected |
|---|---|---|
| Account information | Name, email address, password (hashed), business name, business type | Account creation and profile updates |
| Business information | Business model, pricing, goals, capacity, services offered, operating area | Onboarding and ongoing use of the intelligence layer |
| Financial data | Invoice amounts, payment records, revenue figures, expense data | Creating invoices, recording payments, financial reporting |
| Customer and contact data | Names, email addresses, phone numbers, addresses, notes, communication history of your customers and contacts | When you add or import contacts |
| Work and scheduling data | Job details, quotes, bookings, calendar entries, line items | Managing work through the platform |
| Communications content | Invoices, quotes, and reminders sent through the platform | When you send transactional emails via the platform |
| Support communications | Messages and attachments you send to our support team | When you contact us for help |
3.2 Data We Collect Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, actions taken, session duration, frequency of use | Understanding how the platform is used and improving it |
| Device and browser data | IP address, browser type and version, operating system, device type, screen resolution | Security, troubleshooting, and platform optimisation |
| Log data | Server logs, error reports, access timestamps | Security monitoring, debugging, and service reliability |
| Authentication data | Login timestamps, session tokens, magic link usage | Account security and fraud prevention |
3.3 Data from Third Parties
If you connect third-party services to the platform (such as a bank feed, accounting software, or payment processor), we may receive data from those services as necessary to provide the integration. The data received depends on the specific integration and the permissions you grant. We only request the minimum data required.
3.4 Data We Do Not Collect
We do not knowingly collect special category data (such as health, biometric, or political data) unless you choose to include it in free-text fields. We do not collect data from children under 18. We do not purchase data from third-party brokers.
4. How We Use Your Data
We process your personal data for the following purposes and on the following lawful bases under UK GDPR:
| Purpose | Lawful Basis | Details |
|---|---|---|
| Providing the platform | Contract (Art. 6(1)(b)) | Processing necessary to deliver the services you have signed up for, including account management, invoicing, scheduling, and all core features. |
| AI-powered features | Contract (Art. 6(1)(b)) | Processing your business data through AI systems to provide personalised suggestions, analysis, and decision support as part of the platform's core functionality. |
| Sending transactional emails on your behalf | Contract (Art. 6(1)(b)) | Processing necessary to send invoices, quotes, and reminders to your customers as instructed by you. |
| Platform improvement | Legitimate interest (Art. 6(1)(f)) | Analysing aggregated and anonymised usage patterns to improve features, fix issues, and inform product development. We do not use identifiable personal data for this purpose. |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Monitoring for suspicious activity, preventing unauthorised access, and maintaining the integrity of the platform. |
| Customer support | Contract (Art. 6(1)(b)) | Processing necessary to respond to your enquiries and resolve issues. |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Processing required to comply with applicable laws, regulations, or legal proceedings. |
| Marketing communications | Consent (Art. 6(1)(a)) | Sending you updates about 1pc, new features, or content. You can withdraw consent at any time. |
| Billing and payments | Contract (Art. 6(1)(b)) | Processing payment information to manage your subscription. |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. You may request details of these assessments by contacting us.
5. AI and Automated Processing
The platform uses artificial intelligence to provide personalised features. This section explains how AI interacts with your data.
5.1 How AI Processes Your Data
When you use AI-powered features, the platform sends relevant context from your business data to our AI provider to generate responses, suggestions, or analysis. This may include your business model, pricing, customer information, and work history as needed to produce relevant output.
5.2 AI Provider
We use Anthropic's Claude API as our AI provider. Data sent to Anthropic for processing is subject to Anthropic's data usage policies. Under our commercial agreement with Anthropic, data submitted through the API is not used to train their models.
5.3 What AI Does Not Do
- Your data is not used to train general-purpose AI models.
- AI does not make automated decisions that produce legal or similarly significant effects on you without human involvement.
- AI-generated output is presented as suggestions for your review, not as final decisions.
- We do not use AI to profile you for marketing, credit scoring, or any purpose beyond providing the platform's features.
5.4 Alignment Scoring
The platform includes an alignment scoring feature that compares your actions and decisions against your stated business goals. This is an assistive feature designed to prompt reflection, not an automated decision-making process. Scores are advisory only and you are free to disregard them.
6. Who We Share Your Data With
We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Hosting provider (Supabase) | Database hosting and storage | Data stored in EU/UK data centres. Encryption at rest and in transit. Data Processing Agreement in place. |
| AI provider (Anthropic) | Processing data for AI-powered features | Commercial API agreement. Data not used for model training. Processed under contract. |
| Email delivery (SendGrid) | Sending transactional emails on your behalf | Data Processing Agreement in place. Data processed only for delivery purposes. |
| Payment processor | Subscription billing | PCI DSS compliant. We do not store your full payment card details. |
| Analytics (if applicable) | Aggregated platform usage analysis | Anonymised and aggregated data only. No personal identifiers shared. |
| Legal and regulatory authorities | Compliance with legal obligations | Only when required by law, regulation, or valid legal process. |
| Professional advisors | Legal, accounting, or audit services | Bound by professional confidentiality obligations. |
If we engage a new sub-processor, we will update this policy and, where required by the Data Processing Agreement, notify you in advance.
7. International Transfers
We aim to process and store your data within the United Kingdom and the European Economic Area. Where data is transferred outside these regions (for example, to AI processing infrastructure), we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses.
- Adequacy decisions by the UK Secretary of State or the European Commission.
- Binding corporate rules or other approved transfer mechanisms.
You may request details of the specific safeguards applied to any international transfer by contacting us.
8. Data Retention
We retain your data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of your account plus 30 days | Required to provide the service and allow data export on closure |
| Business and work data | Duration of your account plus 30 days | Core platform data; exportable on account closure |
| Financial records (invoices, payments) | Duration of your account plus 6 years | UK tax and accounting obligations (HMRC requirements) |
| Transactional email records | Duration of your account plus 12 months | Delivery verification and dispute resolution |
| Server and security logs | 12 months | Security monitoring and incident investigation |
| Support communications | Duration of your account plus 24 months | Continuity of support and quality assurance |
| Backup copies | 90 days after deletion from active systems | Disaster recovery |
| Marketing consent records | Duration of consent plus 24 months | Demonstrating lawful consent under UK GDPR |
After the applicable retention period, data is securely deleted or anonymised so that it can no longer be associated with you.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data. These rights apply to data for which we are the data controller (your account data, usage data, and similar). For data you store about your own customers, you are the controller and must handle rights requests from those individuals directly.
| Right | What It Means |
|---|---|
| Access | You can request a copy of the personal data we hold about you. |
| Rectification | You can ask us to correct inaccurate or incomplete data. |
| Erasure | You can ask us to delete your data where there is no compelling reason for us to continue processing it. |
| Restriction | You can ask us to restrict processing of your data in certain circumstances. |
| Data portability | You can request your data in a structured, commonly used, machine-readable format. |
| Objection | You can object to processing based on legitimate interest. We will stop unless we have compelling grounds to continue. |
| Withdraw consent | Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of prior processing. |
| Automated decision-making | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently make such decisions. |
9.1 How to Exercise Your Rights
To exercise any of these rights, contact us at [EMAIL]. We will respond to your request within one month. If your request is complex or we receive a high volume of requests, we may extend this by a further two months, and we will let you know.
We may ask you to verify your identity before processing your request. We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.
9.2 Data Export
The platform provides a data export feature that allows you to download your data in a structured format at any time. This is separate from your formal right of access but is designed to make portability straightforward.
9.3 Right to Complain
If you are not satisfied with how we handle your data or respond to your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
10. Cookies and Tracking Technologies
We use a limited number of cookies and similar technologies. We do not use tracking cookies for advertising purposes.
| Type | Purpose | Duration | Consent Required |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | Session or up to 30 days | No (essential for platform operation) |
| Functional | Remembering your preferences and settings | Up to 12 months | No (legitimate interest) |
| Analytics | Understanding platform usage in aggregate | Up to 12 months | Yes |
You can manage cookie preferences through your browser settings or through the cookie consent mechanism on the platform. Disabling strictly necessary cookies may prevent the platform from functioning correctly.
We do not use third-party advertising cookies. We do not participate in cross-site tracking or real-time bidding.
11. Children
The platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.
12. Security
We take the security of your data seriously and implement appropriate technical and organisational measures in line with industry best practices. These include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest using AES-256 or equivalent.
- Password hashing using industry-standard algorithms (never stored in plain text).
- Access controls limiting data access to authorised personnel on a need-to-know basis.
- Multi-factor authentication support for user accounts.
- Regular security assessments and dependency monitoring.
- Incident response procedures with defined escalation paths.
- Secure development practices including code review and testing.
No system is completely secure. While we implement robust safeguards, we cannot guarantee absolute security. We encourage you to use a strong, unique password and enable multi-factor authentication.
13. Third-Party Links and Services
The platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy applies only to data processed by 1pc. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party service you connect to or access through the platform.
14. Your Customers' Data
When you store your customers' or contacts' personal data on the platform, you are the data controller for that data. We process it on your behalf as a data processor, in accordance with the Data Processing Agreement in Schedule 1 of our Terms of Service.
As the data controller, you are responsible for:
- Having a lawful basis for collecting and processing your customers' data.
- Providing appropriate privacy notices to your customers.
- Handling data subject access requests and other rights requests from your customers.
- Ensuring the data you store is accurate, relevant, and not excessive.
- Complying with all applicable data protection laws in relation to that data.
We provide the platform and infrastructure to help you manage this data securely, but the legal responsibility for how you collect and use your customers' data remains with you.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the platform, or applicable law. When we make material changes, we will notify you by email or through the platform at least 30 days before the changes take effect.
The "Last Updated" date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically.
Previous versions of this policy are available on request.
16. Contact Us
If you have any questions about this Privacy Policy, want to exercise your rights, or have a concern about how we handle your data, please contact us:
[YOUR LEGAL ENTITY NAME]
Data Protection Contact
[Registered Address]
[Email Address]
We aim to respond to all privacy-related enquiries within 5 working days and to formal rights requests within one month.
--- End of Privacy Policy ---